Joel Brenner
http://joelbrenner.com
Author of America the Vulnerable: Inside the New Threat Matrix of Digital Espionage, Crime, and Warfare

Forty Years After Church-Pike: What’s Different Now?
http://joelbrenner.com/forty-years-after-church-pike-whats-different-now-2/
Wed, 20 May 2015 14:04:17 +0000, jbrenner

This is the Henry F. Schorreck Memorial Lecture that I delivered at the National Security Agency

May 15, 2015

_____

About ten years ago, when I was the inspector general here, I found myself one day in Hawaii, under the Pineapples, and by coincidence there was at the same time a conference nearby of the agency’s training staff from all over the Pacific region. And one of them came to me and said, We do all this training about the legal restrictions on our activities — USSID 18 and Executive Order 12333 and all that – and we know it’s a big deal, but none of the people we’re training know why we’re doing it. And then after a pause she said: And frankly, we’re not sure either.

I had lived through the upheavals of the late ‘sixties and the ‘seventies – the Vietnam War, the intelligence scandals, the Nixon impeachment, and the implementation of the legislative and regulatory framework that we impliedly refer to every time we say that this agency operates under law. Younger people had not.

We Americans don’t take instructions well if we don’t understand the reasons for them. And so I decided it was incumbent on us to tell and re-tell the story of how and why the United States became the first nation on earth to turn intelligence into a regulated industry. But the story isn’t entirely behind us. It continues. And so this morning I’m not only going to recount what happened in the ’seventies; I’m also going to address the Agency’s position in the wake of the Snowden leaks, and how we got here. Because insofar as NSA has again been in the public’s doghouse (it is certainly not in the policymakers’ doghouse), it is for very different reasons from those in 1976, and that difference is worth reflecting on.

Let’s go back to January 1970, when a former Army captain in military intelligence, Christopher Pyle, disclosed in the Washington Monthly that U.S. Army intelligence had more than a thousand plainclothes agents surveilling every significant political demonstration in the United States.[2] According to Pyle’s account, the Army kept “files on the membership, ideology, programs, and practices of virtually every activist political group in the country . . . including . . . the Southern Christian Leadership Conference, Clergy and Laymen United Against the War in Vietnam, the American Civil Liberties Union, Women Strike for Peace, and the National Association for the Advancement of Colored People.”[3] It also kept a “Blacklist” of “people who might cause trouble for the Army.”[4] There had been violent, destructive race riots in Los Angeles in 1965, in Detroit in 1967, and then in April 1968 in Washington after Rev. Martin Luther King, Jr. was assassinated. Two months later, Bobby Kennedy was assassinated. That same year, the Soviet Army moved into Prague, the Fifth Republic in France nearly fell as a result of massive domestic unrest, and Chicago during the 1968 Democratic National Convention was the scene of serious street violence. Lest anyone forget, we were also deep in the Cold War, early in the Brezhnev years, and the antiwar movement unquestionably included a small but violent far-left element. Stability was a genuine concern of sober people.

The scope of the Army’s domestic spying was nevertheless unauthorized in law, out of control, and plainly political. In the Army’s eyes, dangerous people included Coretta Scott King, Georgia State Representative Julian Bond, folk singer Arlo Guthrie, and former military officers who opposed the Vietnam War. In Colorado Springs, the leader of a church youth group attended a peaceful antiwar protest; in response, the Army infiltrated his church. In Kansas City, the Army asked local high schools and colleges to turn over the names of ‘potential trouble makers’ and anyone who was ‘too far left or too far right.’ Classroom statements by teachers and students found their way into police and Army files.[5] Based on Pyle’s account, Senator Sam Ervin, a conservative southern Democrat from North Carolina and chairman of the Senate Judiciary Committee, opened hearings, but they ran into a wall because the Executive Branch, citing executive privilege and “national security,” declined to provide much information. This episode nevertheless opened the first, small wedge into a system of government secrecy that had been little questioned since 1941.

The Army hearings were not the beginning of the American public’s distrust of government, but by 1970, trust was running out on a strong ebb tide. Just to color the picture a bit brighter, in April 1970, the United States secretly expanded the Vietnam War into Cambodia, but the operation was leaked and produced vehement opposition. On May 4, frightened and undisciplined Ohio National Guard troops fired into a crowd of student demonstrators at Kent State University, killing four and wounding nine. In July, a cabal of radicals blew up the Army Math Research Center at the University of Wisconsin, killing a graduate student. The Weather Underground planned further bombings.

The sense of anxiety and pessimism was profound, and lots of people really did seem to believe, as the song said, that we were on the eve of destruction. (That song was actually written in 1964, but it had long legs.)

On December 22, 1974, the New York Times published a front-page story by Seymour Hersh about a CIA program called “family jewels.” It began this way:

The Central Intelligence Agency, directly violating its charter, conducted a massive, illegal domestic intelligence operation during the Nixon Administration against the antiwar movement and other dissident groups in the United States, according to well-placed Government sources.

An extensive investigation by The New York Times has established that intelligence files on at least 10,000 American citizens were maintained by a special unit of the C.I.A. that was reporting directly to Richard Helms, then the Director of Central Intelligence ….

This article is worth your reading, or re-reading after forty-one years – and not only for the mood of the country and the revelations themselves. It also lays out the unbelievably bad blood between the FBI and the CIA and the intentional freezing of cooperation between them. The seeds of the next generation’s intelligence problem were there to see, unnoticed in plain view.

Just two weeks after Hersh’s article, in January 1975, the Senate convened a Select Committee to Study Governmental Operations with Respect to Intelligence Activities, chaired by Senator Frank Church of Idaho. The Committee’s work had support from both sides of the aisle. A similar committee convened in the House under Rep. Otis G. Pike of New York, but the Senate version under Church was the more significant. It published fourteen reports in 1975-76 on intelligence agency activities, probably the most comprehensive such reports in history, in any country. The reports detailed the CIA’s habit of opening our mail, NSA’s domestic interception programs, and CIA’s human subject research – including a notorious instance of LSD administered to an unwitting subject who, in a hallucinating fit, jumped out a window to his death. They also went deeply into intelligence activities overseas as well as at home, disclosing assassination plots against the Diem brothers of Vietnam, Patrice Lumumba in the Congo, General René Schneider in Chile, and Rafael Trujillo in the Dominican Republic, as well as the failed plan to use the Sicilian Mafia to kill Fidel Castro. Coups against the governments of Arbenz in Guatemala and Mossadegh in Iran were also exposed.

The country was stunned by the systematic domestic surveillance, and shocked to learn that assassination was a tool of American foreign policy. It was as if we Americans had eaten of the fruit of the Tree of Knowledge. We had lost our innocence and the belief in the purity of our methods as well as our intentions.

Revelations about the FBI were, if possible, even more stunning. For 17 years, from 1956 to 1973, the Bureau under J. Edgar Hoover had run a covert program called COINTELPRO, for Counterintelligence Program. It had antecedents at least back to World War I. Its initial purpose was to assess the activities of the Communist Party of the U.S., but it eventually included surveillance of Senators Howard Baker and Church (who were the ranking member and chairman of the Senate Foreign Relations Committee), the women’s movement, nearly all groups opposing the Vietnam War, Albert Einstein, and many civil rights leaders. Hoover loathed Martin Luther King, Jr., and after the March on Washington in 1963, he called King “the most dangerous Negro of the future in this nation from the standpoint of communism, the Negro, and national security.” The FBI systematically bugged King’s home and hotel rooms. By the way, much of the surveillance was personally approved by Attorney General Robert F. Kennedy – who later discovered he too had been a target of FBI surveillance.

On November 21, 1964, the FBI sent an anonymous package to King that contained audio recordings of his sexual indiscretions together with a letter that said: “There is only one way out for you. You better take it before your filthy, abnormal, fraudulent self is bared to the nation.” The FBI was encouraging King to commit suicide.

Hoover, by the way, was regarded by several presidents as too powerful to remove from office because he was known or believed to have dossiers on them with embarrassing information.

NSA, meanwhile, was running two projects called SHAMROCK and MINARET. SHAMROCK began in August 1945 – the month Japan surrendered – and involved the collection by NSA’s predecessor, the Armed Forces Security Agency and then by NSA, of all telegraphic traffic entering or leaving the United States. Western Union, RCA, and ITT gave the agency direct daily access to microfilm copies of this traffic – up to 150,000 messages per month. There was wartime precedent for this, but the scope of the collection, and its conduct in peacetime, was a different story.

MINARET was a related project by which NSA intercepted electronic communications of 1,650 people who were on a watch list. There were no warrants and no judicial oversight of these activities, which were simply assumed to be the normal activities of a foreign intelligence agency. The targets included Senators Church and Baker, many critics of the Vietnam War, King, Whitney Young, Muhammad Ali, Tom Wicker of the New York Times, and Washington Post columnist Art Buchwald. After the Church Committee disclosed these programs, then-NSA Director Lew Allen shut them down. The director’s testimony before the Committee was the first time since NSA’s founding in 1952 that any director had publicly testified before Congress; it was also the first time that NSA’s existence was publicly acknowledged. Before then, NSA really did stand for “No Such Agency.” (Now it stands for “Not Secret Anymore.”)

I think it fair to say, and important to say, that everyone associated with these various programs thought that he was a patriot acting in the national interest. Which is precisely why subjective notions of patriotism and national security are insufficient guides for people and agencies that claim to operate under law in a democratic republic. (Snowden and Hoover actually represent converse instances of unmoored, egotistical arrogation to oneself of the right to determine the public good. The comparison will annoy their respective admirers. So much the better. They should think about it.)

The Church-Pike hearings were watershed events in our nation’s history, psychologically as well as politically, and they led directly to the legal structures you operate under today. President Ford’s Executive Order 11905, later modified and reissued by President Reagan as E.O. 12333 in substantially the form we now know it; the creation of the House and Senate permanent select committees on intelligence; the Foreign Intelligence Surveillance Act of 1978; the Inspector General Act of 1978; and USSID 18 (originally issued in 1980) – not to mention drastic budget cuts in intelligence – all these were the direct product of the Church-Pike hearings and reports.

Because of the hearings whose anniversary we celebrate today, the men and women of the intelligence community operate with a profoundly different mindset. You take orders from a democratically elected government, and you answer to an independent judiciary. This is the “why.” This is the answer to the question put to me that day in Hawaii. This is the history we must teach to our successors.

I’m glad to say that NSA did not repeat the mistakes of the period that led to the Church-Pike hearings. Okay, then, so how did we get in the doghouse this time?

The seed of the problem was planted shortly after 9/11, when the White House determined to undertake certain collection outside the FISA regime under a highly classified, but now mostly declassified, program called STELLAR WIND.[6] That program was not SAP’ed, because the creation of a new special access program requires Congressional notification, but it was run directly by the Office of the Vice President and put under the direct personal control of the Vice President’s counsel, David Addington. Under periodically renewed Presidential orders, NSA collected two kinds of intelligence: First, the contents of communications between a person outside the United States with a known connection to Al Qaeda or certain affiliated organizations, and a person inside the country; and second, bulk metadata in order to chain off the domestic link. In my judgment, any President who had failed to order such surveillance on an emergency basis immediately after 9/11 would have been derelict. The President’s first duty is to protect the nation, and the fear of further attack was palpable. You could smell it. But under statute, the interceptions were not permissible without a FISA order because they were taken from a wire inside the United States; and FISA did not permit metadata collection at all. Under prevailing law, metadata, which is analogous to the information on the outside of a mailed envelope, may have had no Constitutional protection. But the bulk collection of that data was a watershed political event in the history of American intelligence and in American politics. As an emergency matter, there’s no question in my mind that the President had the power under Article II of the Constitution to order this collection – both kinds. But how long does an emergency last? (An emergency usually doesn’t come with a specific expiration date like a quart of milk, but claims of emergency do get sour.)

Now, it was the view in the White House that the President did have the power to collect this intelligence on a permanent basis. And I am persuaded that the White House, and certainly the Office of the Vice President, believed that FISA was an unconstitutional limitation on the President’s Article II power in all circumstances. This was an odd view, because Article I, Section 8 of the Constitution gives Congress the power to regulate interstate and foreign commerce, and that includes telecommunications. Under well-settled law, Congress cannot exercise its power in a manner that makes it impossible for the Executive to carry out its Constitutional duties, but it can regulate that exercise in a reasonable manner.

Both the NSA General Counsel at the time, Bob Deitz, and I looked for guidance in this situation to one of the more famous passages of Twentieth Century Constitutional law, and I’m going to read you a short bit of it. It’s by Justice Robert Jackson, concurring in the Supreme Court’s decision striking down President Truman’s seizure of the steel mills on national security grounds. Jackson is talking about Presidential power in a divided government and the point at which law and politics cannot be separated. The President’s power fluctuates, Jackson observed, depending upon Congress’ exercise of its power. He saw three possibilities:[7]

When the President acts pursuant to an express or implied authorization of Congress, his authority is at its maximum, for it includes all that he possesses in his own right plus all that Congress can delegate.

When the President acts in the absence of either a congressional grant or denial of authority, he can only rely upon his own independent powers, but there is a zone of twilight in which he and Congress may have concurrent authority, or in which its distribution is uncertain. … In this area, any actual test of power is likely to depend on the imperatives of events and contemporary imponderables rather than on abstract theories of law.

When the President takes measures incompatible with the expressed or implied will of Congress, his power is at its lowest ebb ….

In my view, President Bush’s STELLAR WIND orders fell into the third category – at least, I thought they did after some fairly brief but indeterminate emergency. (This was not the Administration’s view. They thought the Authorization for Use of Military Force impliedly granted the power to implement STELLAR WIND. That was a serious argument, but it was based on debatable inferences; so even accepting that view, I thought the President was in the twilight zone.) You may know that after President Lincoln unilaterally suspended habeas corpus during the Civil War on the grounds that it was necessary to save the Union, he went to Congress to get his action ratified. President Bush chose not to do that. So I put the question to NSA’s senior leadership: Why don’t we amend FISA, which we could easily have done in the aftermath of 9/11, and do this collection under statute? This was actually an academic question, because policy was being driven, and driven hard, by Addington, who detested the FISA statute. “We’re one bomb away from getting rid of that obnoxious [FISA] court,” he would say.[8] But the answer I got here at the Fort was interesting. It was that amending FISA would require a public debate; that the public debate would educate our adversaries; and that we would lose intelligence as a result. My response was that the program could not be kept secret forever, and that its eventual disclosure would create a firestorm and divide the country. The broad unity of the country behind the agency’s activities was a strategic asset; the loss of collection was likely to be tactical and temporary; and sacrificing a strategic asset for tactical advantage was as foolish in politics as it is in military operations. Better, I said, to amend the statute. But Inspectors General do not make policy, and they are not consulted about it, nor should they be.

Sooner or later this program’s cover was going to be blown, and on December 16, 2005, it happened: The New York Times exposed the interception part of the program (but not the bulk metadata portion), amid accusations that NSA was engaged in “domestic” spying because it was intercepting communications involving Americans. In my view that was a distorted description, but when you’re explaining, you’re losing. This was the beginning of a shift in public opinion that until then had, on the whole, been highly supportive of our intelligence agencies. Suddenly we faced a country that was seriously divided about our activities.

Most of the criticism actually had little to do with the merit of the interceptions, just the authority for them. Not surprisingly, the inflammatory publicity attendant on the STELLAR WIND disclosure and the resulting damage to actual collection, to NSA’s reputation, and to our public support were far greater than any damage that would have occurred if the program, and the reasons for it, had been publicly discussed at the outset and the FISA statute amended.

Ladies and gentlemen, democracies distrust power and secrecy and are right to do so. Intelligence agencies are powerful and secret. To square that circle, two conditions must be met: The rules under which they operate must be clear to the public and authorized by law, and the public must have reason to believe that the rules are being followed. STELLAR WIND failed to meet those requirements, and NSA paid for it in loss of public trust.

Again, a lesson was learned – but imperfectly. FISA was amended in 2008, but only after a rancorous public debate, and the statute is frankly a bit of a mess. Still, you follow that statute.

And then in 2013 came Mr. Snowden. Overseas, people were stunned to learn how extremely good NSA really is at its business – sometimes at their expense. You were being criticized for being too good. And of course the dough of outrage rose higher and higher when leavened with the yeast of hypocrisy.

But why did the Snowden leaks hurt so badly here in our own country? There hasn’t been even a whiff of intelligence abuse for political purposes. This was the only intelligence scandal in history involving practices approved by Congress and the federal courts and the President, and subject to heavy oversight. How did this happen?

The answer, I think, goes back to the power-and-secrecy principle and to the evolution of our representative democracy in the digital age. NSA was operating under statute – but ordinary, intelligent, educated Americans could not have looked at that statute and understood that it meant what the FISA Court interpreted it to mean. The intelligence committees knew. Any member of Congress who wanted to know either did know or could have known. (I discount the hypocrisy from that quarter, and the Second Circuit Court of Appeals’ opinion last week is just wrong about that.) But it is true that the FISA Court’s expansive interpretation of the law was secret. So the argument that the Agency was operating under “secret law” had legs with the public, much of which is allergic to bulk collection and doubts its value.

We had amended FISA, yes, but our leaders had failed to absorb the transparency lesson. You now live in a glass house. How could anyone think the bulk collection program would remain secret? I’m not telling you there are no more secrets. You still have plenty of them. I am telling you that with instantaneous electronic communications, secrets are hard to keep; and that which can be kept secret does not stay secret for long. The idea that the broad rules governing your activities – not specific operations, but the broad rules – can be kept secret is a delusion. And they should not be kept secret. Leaders who do not understand this will continue to make strategic blunders. I do not state this as a policy preference. I state it as a fact of life that political leaders and intelligence agencies – I mean you – must take into account as you make decisions about what can be, and should be, kept secret – and about what activities you can and should undertake.

I should note that even if the general counsel or the Director had given different advice to President Obama about bulk collection, it would not have been followed. The fight in 2008 was bruising enough. The White House had no appetite for more FISA battles. In any case, that was the President’s call – not the Director’s. The Director was on the right side of the law. Would the program be unpopular? Maybe. But we do our work. We keep our heads down. Sometimes we take some punches for it. Besides, there’s always a political faction that doesn’t like us no matter what. Tough luck. If it’s legal, we do our work.

But in retrospect there’s a lesson to learn. The public, not just the three branches of government, must know what kinds of things we are allowed to collect domestically.

If you disagree with me on this, do your own damage assessment. In the wake of Snowden, our country has lost control of the geopolitical narrative; our companies have lost more than $100 billion in business and counting. Collection has surely suffered. The damage from the Snowden leaks to American foreign intelligence operations, to American prestige, and to American power – not to mention the damage to morale and to personnel retention right here at Fort Meade – has unquestionably been vastly greater than if the Executive Branch had determined from the outset to amend FISA back in 2002 to permit the activities the White House felt necessary to protect the country.

Do you reply that the Congress in late 2001 or in 2002 might not have permitted NSA to do it? I doubt it. But even so, in a functioning representative democracy, this Agency cannot keep the nation safer than the nation, acting through its elected representatives, wants to be kept.

We learned the hard lessons of 1976. Let’s now think hard and learn this lesson too. And let’s teach it to those who come after us.

Thank you for the opportunity to address you. What you do is enormously important, and I count it a great privilege to have served among you.

[1] Joel Brenner was the Inspector General of the National Security Agency from 2002-2006; the National Counterintelligence Executive in the Office of the Director of National Intelligence from 2006-2009; and senior counsel at NSA from 2009-10. He now maintains a private law and consulting practice and is the Robert F. Wilhelm Fellow at the Massachusetts Institute of Technology’s Center for International Studies.

_____

President Obama yesterday signed an executive order that will put serious economic pressure on organized cyber criminals operating from overseas and on foreign companies that benefit from the cyber theft of American trade secrets and other intellectual property. I have previously criticized this administration for bringing too little, too late to this fight, but this order has real teeth. The President has moved beyond palliatives.

The order permits the government to freeze the assets of anyone who engages in, or who is complicit in, cyber attacks from abroad that harm or attempt to harm organizations “in a critical infrastructure sector.” That sector, defined in regulation, now includes a wide swath of the economy, including banks, energy, and pharmaceuticals, all of which are being relentlessly attacked over our networks. Anyone who uses cyber means to steal trade secrets, money, or intellectual property “for commercial or competitive advantage or private financial gain” is also subject to the order.

These provisions alone would not accomplish much because cyber thieves are hard to catch and are usually protected by uncooperative governments, chiefly in Russia and China. So the order goes farther. In the case of stolen intellectual property, it permits the government to freeze the assets of any company that benefits from the stolen property, “knowing it to be stolen.” That knowledge is easily supplied, either to the company that manufactured the widgets or to the U.S. company that imported them. The goods would then be subject to seizure.

The order also covers the property of people and companies acting directly or indirectly on behalf of parties whose property is blocked by the order. If you’re an estate agent in Mayfair, for example, you must now think very carefully before handling the property of a Russian Mafioso who has been or could be tied to cyber crime. If you do, you can now be excluded from entry into the United States, and if your agency has an office in Beverly Hills or Manhattan, the whole operation can be seized, kit and caboodle. Banks, which already have a headache trying to “know their customers,” will require even more aspirin.

This order was made under statutes that give the President emergency powers. Invoking them was a big step. It was based on the President’s finding that “increasing prevalence and severity of malicious cyber-enabled activities originating from, or directed by persons located, in whole or in substantial part, outside the United States constitute an unusual and extraordinary threat to the national security, foreign policy, and economy of the United States.” True enough. Well done, Mr. President. It’s now up to the Treasury Secretary to put this order into effect through regulations. Let’s get going, Mr. Secretary.

_____

Let’s Stop Playing Whac-a-Mole on our networks
http://joelbrenner.com/lets-stop-playing-whac-a-mole-on-our-networks/
Wed, 21 Jan 2015 16:00:01 +0000, jbrenner

The White House has been slow on the cyber defense problem and continues to miss the boat. For years we’ve been playing Whac-a-Mole, but there are too many moles in the garden to whack. The President’s proposal for better information sharing with the private sector would be a good thing; Congress should pass that bill. But it would not touch the underlying weaknesses in the networks. Nor would heavier penalties for cyber fraud or a uniform national breach reporting law. In Politico today I lay out five steps we could take that could really make us safer.
_____

Merely an attack on a German steel producer — or is it a message to Germany?
http://joelbrenner.com/merely-an-attack-on-a-german-steel-producer-or-is-it-a-message-to-germany/
Fri, 19 Dec 2014 16:48:13 +0000, jbrenner

This link will take you to an account of a sophisticated, network-enabled attack on a German steel producer that disrupted production and caused physical damage to a blast furnace. We are at the beginning, not the end, of an era in which proliferating and uncontrollable expertise, backed by very little capital, can be leveraged to cause huge damage to critical systems that reside on the same vulnerable infrastructure that supports middle school chit chat.
]]>http://joelbrenner.com/merely-an-attack-on-a-german-steel-producer-or-is-it-a-message-to-germany/feed/0State-Sponsored IP Theft: The Huge Hole in the WTO — and How to Fix Ithttp://joelbrenner.com/state-sponsored-ip-theft-the-huge-hole-in-the-wto-and-how-to-fix-it/
http://joelbrenner.com/state-sponsored-ip-theft-the-huge-hole-in-the-wto-and-how-to-fix-it/#commentsWed, 17 Dec 2014 23:04:02 +0000jbrennerhttp://joelbrenner.com/?p=585How is it that the world’s trading nations, including Russia and China, are obligated by treaty to protect other nationals’ intellectual property within their own borders, but are free to steal it when operating abroad? Near-universal digitization of information and pervasive connectivity have turned state-sponsored IP theft into a plague. The World Trade Organization was created in 1994 — just before the digital revolution shook up commercial and personal life. It was meant to bring IP into the world of “honest commercial practices in international trade,” but the treaty came too early to deal with cross-border, network-enabled IP theft. This is a huge hole in the way the WTO works, and it’s time to fix it. This will be hard and will require a sustained diplomatic effort. This month, in an an article called “The New Industrial Espionage” in The American Interest, I lay out a case for how it could be done.
]]>http://joelbrenner.com/state-sponsored-ip-theft-the-huge-hole-in-the-wto-and-how-to-fix-it/feed/0A Reflection on Veterans’ Day 2014http://joelbrenner.com/a-reflection-on-veterans-day-2014/
http://joelbrenner.com/a-reflection-on-veterans-day-2014/#commentsFri, 14 Nov 2014 18:17:33 +0000jbrennerhttp://joelbrenner.com/?p=574I had the good fortune this Veterans’ Day to participate in a panel on surveillance sponsored by the ACLU at Harvard Law School and moderated by Professor Jonathan Zittrain, and the equal good fortune to have as fellow panelists federal appellate Judge Alex Kozinsky and the ACLU’s Alex Abdo. It was fitting, on the day we remove our hats to those who served in our military, to recall the liberties for which they served and to wrestle with the relationship of liberty and security. Rather than retail the high-minded sentiments we’ve all heard on that subject, however, I want to repeat something I said at NSA when I became that agency’s inspector general in 2002.

If one draws a Venn diagram of two circles on a page, one circle representing those who care deeply about civil liberties and another representing those who care deeply about national security, they hardly overlap. By “care deeply,” I don’t mean a distracted shrug in the right directions. I mean taking the time and trouble to know and speak up about abuses of liberty that even in the best of times occur around us, and to understand the military and other structures, but especially the military and those who serve in it, that make us secure. This separation of concerns, and even worse, the sociological separation of interested groups, has grown decidedly greater since the creation of a volunteer military. Less than one percent of Americans now serve in the military. As a result, knowledge of military affairs in the public and in Congress may be at an historic and lamentable all-time low.

The two circles on my Venn diagram will never be perfectly superimposed. Sociological as well as ideological factors push them apart. They nevertheless represent values that in a decent civil society can never be separated. It was clear to me as I assumed my duties at NSA in 2002 that the powerful momentum toward security would one day shift, and that actions taken in the face of immediate danger would eventually be subject to harsh scrutiny. In some cases that scrutiny would result from cooler judgments about real risk, in others from the fickle attention of citizens who, having comfortably forgotten the truly grave threats to the country that followed the first strikes on September 11, 2001, were equally willing to forget the need for exceptional measures and for the exceptional sacrifices that people in and out of uniform were making to protect the country. Yet it was hot-headed to say, as some highly placed politicians were then saying, “Everything has changed now” – that was code for ignoring Constitutional principles on detention and torture – or to say that we could not take even a one-percent risk of terrorism. Free societies take constant risks with both crime and terrorism. We could reduce crime to near zero – the Soviets did it. We could probably also reduce the risk of terrorism to near zero – but not at a price in liberty we are willing to pay. A society that declares it will take no risk with crime or terrorism defines itself as a police state.

And so on Veterans’ Day it seems to me fitting to reflect that it is a citizen’s duty to push these two circles closer together by becoming personally engaged both in the actual state of civil liberty in our land and in the treatment of our veterans. It is not sufficient to thank these men and women for their service. When soldiers, sailors, airmen, and marines return from warfare with broken bodies and shaken minds, they require a consistent and high level of care and training, and they have not had it. We are breaking faith. A nation that taxes itself to make war must also tax itself to care for its warriors.

Critical Infrastructure Vulnerabilities Constrain U.S. Freedom of Action
http://joelbrenner.com/critical-infrastructure-vulnerabilities-constrain-u-s-freedom-of-action/
Thu, 30 Oct 2014 23:38:51 +0000

A few days ago I explained in the Washington Post how the vulnerabilities of our critical infrastructure like banks and the electric grid can affect a President’s freedom of action. The New York Times had reported that Mr. Obama specifically asked our intel agencies whether the Russian hack of J.P. Morgan was Putin’s payback for sanctions over Ukraine — and no one could tell him. The question and lack of answer implied that it could have been payback, and that our agencies do indeed think that Russian foreign intelligence services could do serious harm to our critical infrastructure. Whether that attack was the work of a Russian criminal gang operating on its own or at the direction of the Kremlin, isn’t it clear by now that weaknesses in our critical infrastructure can constrain our freedom of action in international affairs? I addressed this topic again today with KT McFarland on Fox.com.

Warlike network operations are important to contemplate, but visions of conflagrations, while they illuminate real risk, obscure the current state of affairs in which threats to our infrastructure can simply make us think twice or thrice before we act, or paralyze us. I call this the grey space between war and peace, and we are in it.

The Chinese Cyber Espionage Indictment: What It Means for Your Company
http://joelbrenner.com/the-chinese-cyber-espionage-indictment-what-it-means-for-your-company/
Tue, 27 May 2014 15:54:52 +0000

The questions have been coming fast and furious since the Justice Department indicted five Chinese hackers for systematic cyber espionage against five American companies. A few are easy to answer: There’s no realistic possibility that these defendants will be brought to trial, and yes, there will be diplomatic consequences for U.S.-China relations and possibly legal consequences for U.S. officials and for private companies doing business in China.

But the hard questions can’t be answered yet. We don’t know what the U.S. government hoped to gain from the unusual step of bringing criminal charges against officials of a foreign nation. We don’t know whether more indictments will follow. We don’t know whether the government or the victim companies will seek civil penalties for the alleged theft of intellectual property. We don’t know whether the indictment also marks the beginning of a diplomatic and perhaps multi-national legal offensive against the theft of intellectual property; and if so, whether an adequate diplomatic groundwork for it has been laid.

Fortunately the officers and directors of companies don’t have to answer those questions. Unfortunately the indictment demonstrates in unusual detail what they do have to worry about: The espionage risk to companies is very real, and the level of information security even in large, sophisticated companies is not keeping up with it. The ease with which the victim companies were allegedly penetrated is stunning.

Viewing the indictment as an isolated event would be a mistake. Here are some of the other pieces of an emerging picture that companies should be looking at:

In February the National Institute of Standards and Technology, known as NIST, published a cybersecurity “framework” outlining steps owners of critical infrastructure should take to protect their networks and information. It’s voluntary, and on its face it applies only to critical infrastructure, but it will be adopted by many organizations as a guide to practice. This is the beginning of an emerging standard of care; in other words, heightened liability.

In April, a federal appeals court refused to throw out the Federal Trade Commission’s case against Wyndham Hotels based on the allegedly insufficient protections in place for the personal and credit card information of hotel guests. This is another harbinger of heightened corporate liability for the insecurity of their networks, and yet another sign of an emerging standard of care.

This spring the BBC reported that Lloyd’s, the insurance syndicate, declined to insure an unnamed energy company because of the unsatisfactory state of its network security. If you can penetrate a network remotely to steal information from it, you can penetrate a network to corrupt the information on it or shut it down.

The trend in too many companies is to treat information security as a technological challenge and to push it down to the IT department. This is a strategic error. The failure to adopt available technologies is not a technological challenge. It’s a management failure. And the IT department has nothing to do with the usage rules that companies adopt, or fail to adopt. Legal, contracting, HR, and IT all have a role to play. Information security is a risk-management challenge that requires a unified approach starting with the C-Suite, and companies that don’t manage it that way are likely to find themselves uninsured, uninsurable, and vulnerable to suits by shareholders and customers alike.

Three things drive change in a market economy: market opportunity, liability, and government action through regulation and tax law. Yet none of these forces has had a material effect on cyber security. Even statutes that create liability and define damages for the loss of personal information have had only a minimal effect on security. Nearly four years ago I explained why these forces have proven unimportant. But two factors are now converging that could make liability a bigger driver of security.

The first is the Federal Trade Commission’s decision to use its authority under section 5(a) of the FTC Act to sue companies for practices that are “unfair” as well as “deceptive.” An example of a deceptive practice would be a company’s maintaining a website advising users that it employs such-and-such a privacy practice when it does not. The FTC’s power in this area is clear, though it has sometimes abused it by imposing 20-year consent decrees with onerous reporting requirements on small firms that have been more clueless than wicked. The other prong of the FTC’s section 5 authority is more contentious because it involves a substantive evaluation of unfairness. In 2012 the Commission tested its authority to apply the unfairness standard to information security when it sued the Wyndham hotel chain for “failure to maintain reasonable security [that] allowed intruders to obtain unauthorized access to the computer networks.” In a nutshell, the FTC asserted that poor security – or perhaps very poor security – of customers’ personal data was a fairness violation that would support injunctive relief.

Earlier this month the federal district court in New Jersey upheld the FTC’s use of the fairness standard of section 5. Wyndham had challenged the complaint on three grounds: (1) that under earlier precedent the FTC was barred from using section 5 to address alleged cybersecurity weaknesses; (2) that the FTC could not use its statutory authority unless it first adopted a formal rule with specific security standards; and (3) that the pleadings were insufficiently specific. The court rejected all three arguments. The court did not find that Wyndham violated the act. It simply said that the FTC was not barred from bringing the case on fairness grounds. Nevertheless, the court’s decision gets the Commission over a big hurdle – at least for the time being. An appeal seems likely.

The second factor that may create liability for poor cybersecurity is the promulgation by the National Institute of Standards and Technology of a series of cybersecurity standards which, though limited in applicability, are likely to affect insurance underwriting. In April 2013, for example, NIST published a fourth revision of security and privacy control standards for federal information systems and organizations. And two months ago NIST published a “framework” that “consists of standards, guidelines, and practices to promote the protection of critical infrastructure.” The first publication applies only to federal systems, the second only to critical infrastructure. But these standards are broadly consistent with the widely used standards of general applicability published by the International Standards Organization, or ISO. Insurers can be expected to adopt these standards in whole or part when making underwriting decisions. Already there have been reports that Lloyd’s has declined to insure unnamed companies in the electric grid on grounds of poor cybersecurity. These developments represent the gradual emergence of a widely applicable standard of care, without which there can be no generalized negligence liability for maintaining substandard information systems.

These developments will not affect the lack of tort liability for writing and selling unreasonably insecure software. Shrink-wrapped consumer licenses disclaim liability, and they are enforceable. Commercial licenses are not much different. Assuming the FTC’s power under section 5’s unfairness standard is upheld on appeal, will the Commission attempt to impose substantive standards on software? It’s important to remember that the FTC is not writing technical standards, for which we should be grateful. It is simply targeting plainly negligent companies. Nevertheless, if the Commission were to move against a major software vendor to allege that its product was unreasonably bad, it would have a battle royal on its hands. Certainly there would be lots of targets to choose from. This is worth watching.

Why Isn’t Cyberspace More Secure?
http://joelbrenner.com/why-isnt-cyberspace-more-secure/
Mon, 21 Apr 2014 14:58:06 +0000

Note: This article first appeared in Communications of the ACM 53:11 (November 2010).

In cyberspace it’s easy to get away with criminal fraud, easy to steal corporate intellectual property, and easy to penetrate governmental networks. This spring the new Commander of USCYBERCOM, NSA’s General Keith Alexander, acknowledged for the first time that even our classified networks have been penetrated.[1] Not only don’t we catch most fraud artists, IP thieves, and cyber spies – we don’t even know who most of them are. Yet every significant public and private activity – economic, social, governmental, military – depends on the security of electronic systems. Why has so little happened in 20 years to alter the fundamental vulnerability of these systems? If you’re sure this insecurity is either (a) a hoax or (b) a highly desirable form of anarchy, you can skip the rest of this article.

Presidential Directives to Fix This Problem emerge dramatically like clockwork from the White House echo chamber, chronicling a history of executive torpor. One of the following statements was made by President Obama in 2009, the other by President George H.W. Bush in 1990. Guess which is which:

“Telecommunications and information processing systems are highly susceptible to interception, unauthorized electronic access, and related forms of technical exploitation, as well as other dimensions of the foreign intelligence threat. . . .”

“The architecture of the Nation’s digital infrastructure, based largely on the Internet, is not secure or resilient. Without major advances in the security of these systems or significant change in how they are constructed or operated, it is doubtful that the United States can protect itself from the growing threat of cybercrime and state-sponsored intrusions and operations.”

Actually, it doesn’t much matter which is which. [2] In between, for the sake of non-partisan continuity, President Clinton warned of the insecurities created by cyber-based systems and directed in 1998 that “no later than five years from today the United States shall have achieved and shall maintain the ability to protect the nation’s critical infrastructures from intentional acts that would significantly diminish” our security.[3] Five years later would have been 2003.

In 2003, as if in a repeat performance of a bad play, the second President Bush stated that his cybersecurity objectives were to “[p]revent cyber attacks against America’s critical infrastructure; [r]educe national vulnerability to cyber attacks; and [m]inimize damage and recovery time from cyber attacks that do occur.”[4]

These Presidential pronouncements will be of interest chiefly to historians and to Congressional investigators who, in the aftermath of a disaster that we can only hope will be relatively minor, will be shocked, shocked to learn that the nation was electronically naked.

Current efforts in Washington to deal with cyber insecurity are promising – but so was Sisyphus’ fourth or fifth trip up the hill. These efforts are moving at a bureaucratically feverish pitch – which is to say, slowly – and so far they have produced nothing but more declarations of urgency and more paper. Why?

Lawsuits and Markets

Change in America is driven by three things: liability, market demand, and regulatory (usually federal) action. The role and weight of these factors vary in other countries, but the U.S. experience may nevertheless be instructive transnationally since most of the world’s intellectual property is stored here, and the rest of the world perceives U.S. networks as more secure than we do.[5] So let’s examine each of these three factors.

Liability has been a virtually non-existent factor in achieving greater Internet security. This may be surprising until you ask: Liability for what, and who should bear it? Software licenses are enforceable, whether shrink-wrapped or negotiated, and they nearly always limit the manufacturer’s liability to the cost of the software. So suing the software manufacturer for allegedly lousy security is a game not worth the candle. What are the damages, say, from finding your computer is an enslaved member of a botnet run out of Russia or Ukraine? And how do you prove the problem was caused by the software rather than your own sloppy online behavior?

Asking Congress to make software manufacturers liable for defects would be asking for trouble: All software is defective, because it’s so astoundingly complicated that even the best of it hides surprises. Deciding what level of imperfection is acceptable is not a task you want your Congressman to perform. Any such legislation would probably drive some creative developers out of the market. It would also slow down software development – which would not be all bad if it led to higher security. But the public has little or no understanding of the vulnerabilities inherent in poorly developed applications. On the contrary, the public clamors for rapidly developed apps with lots of bells and whistles, so an equipment vendor that wants to control this proliferation of vulnerabilities in the name of security is in a tough spot.

Banks, merchants, and other holders of personal information do face liability for data breaches, and some have paid substantial sums for data losses under state and federal statutes granting liquidated damages for breaches. In one of the best known cases, Heartland Payment Systems may end up paying about $100 million as a result of a major breach, not to mention millions more in legal fees. But the defendants in such cases are buyers, not makers and designers, of the hardware and software whose deficiencies create many (but not all) cyber insecurities. Liability presumably makes these companies somewhat more vigilant in their business practices, but it doesn’t make hardware and software more secure.

Many major banks and other companies already know they have been persistently penetrated by highly skilled, stealthy, and anonymous adversaries, very likely including foreign intelligence services and their surrogates. These firms spend millions fending off attacks and cleaning their systems, yet no forensic expert can honestly tell them that all advanced persistent intrusions have been defeated. (If you have an expert who will say so, fire him right away.)

In an effective liability regime, insurers play an important role in raising standards because they tie premiums to good practices. Good drivers, for example, pay less for auto insurance. Without a liability dynamic, however, insurers play virtually no role in raising cyber security.

If liability hasn’t made cyberspace more secure, what about market demand? The simple answer is that the consuming public buys on price and has not been willing to pay for more secure software. In some cases the aftermath of identity theft is an ordeal. In most instances of credit card fraud, however, the bank absorbs 100% of the loss, so its customers have little incentive to spend more for security. (In Britain, where the customer rather than the bank usually pays, the situation is arguably worse because banks are in a better position than customers to impose higher security requirements.) Most companies also buy on price, especially in the current economic downturn.

Unfortunately we don’t know whether consumers or corporate customers would pay more for security if they knew the relative insecurities of the products on the market. As J. Alex Halderman of the University of Michigan recently noted, “most customers don’t have enough information to accurately gauge software quality, so secure software and insecure software tend to sell for about the same price.”[6] This could be fixed, but doing so would require agreed metrics for judging products and either the systematic disclosure of insecurities or a widely accepted testing and evaluation service that enjoyed the public’s confidence. Consumer Reports plays this role for automobiles and many other consumer products, and it wields enormous power. The same day that CR issued a “Don’t buy” recommendation on the 2010 Lexus GX 460, Toyota took the vehicle off the market. If the engineering and computer science professions could organize a software security laboratory along the lines of CR, it would be a public service.

Federal Action

Absent market- or liability-driven improvement, there are eight steps the federal government could take to improve Internet security, and none of them would involve creating a new bureaucracy or intrusive regulation:

Use the government’s enormous purchasing power to require higher security standards of its vendors. These standards would deal, for example, with verifiable software and firmware, means of authentication, fault tolerance, and a uniform vocabulary and taxonomy across the government in purchasing and evaluation. The Federal Acquisition Regulations, guided by the National Institute of Standards and Technology, could drive higher security into the entire market by ensuring federal demand for better products.

Amend the Privacy Act to make it clear that Internet Service Providers (ISPs) must disclose to one another and to their customers when a customer’s computer has become part of a botnet, regardless of the ISP’s customer contract, and may disclose that fact to a party that is not its own customer. ISPs may complain that such a service should be elective, at a price. That’s equivalent to arguing that cars should be allowed on the highway without brakes, lights, and seatbelts. This requirement would generate significant remedial business.

Define behaviors that would permit ISPs to block or sequester traffic from botnet-controlled addresses – not merely from the botnet’s command-and-control center.

Forbid federal agencies from doing business with any ISP that is a hospitable host for botnets, and publicize the list of such companies.

Require bond issuers that are subject to the jurisdiction of the Federal Energy Regulatory Commission to disclose in the “Risk Factors” section of their prospectuses whether the command-and-control features of their SCADA networks are connected to the Internet or other publicly accessible network. Issuers would scream about this, even though a recent McAfee study plainly indicates that many of them that do follow this risky practice think it creates an “unresolved security issue.”[7] SCADA networks were built for isolated, limited access systems. Allowing them to be controlled via public networks is rash.

Increase support for research into attribution techniques, verifiable software and firmware, and the benefits of moving more security functions into hardware.

Engage like-minded governments to create international authorities to take down botnets and make naming-and-addressing protocols harder to spoof.

Political Will

These practical steps would not solve all problems of cyber insecurity, but they would dramatically improve the situation. Nor would they involve government snooping, re-engineering the Internet, or other grandiose schemes. They would require a clear-headed understanding of the risks to privacy, intellectual property, and national security when an entire society relies for its commercial, governmental, and military functions on a decades-old information system designed for a small number of university and government researchers.

Translating repeated diagnoses of insecurity into effective treatment would also require the political will to marshal the resources and effort necessary to do something about it. The Bush Administration came by that will too late in the game, and the Obama Administration has yet to acquire it. After his inauguration, Obama dithered for nine months over the package of excellent recommendations put on his desk by a non-political team of civil servants from several departments and agencies. The Administration’s lack of interest was palpable; its hands are full with two wars, health care, and a bad economy. In difficult economic times the President naturally prefers invisible risk to visible expense and is understandably reluctant to increase costs for business. In the best of times cross-departmental (or cross-ministerial) governance would be extremely difficult – and not just in the United States. Doing it well requires an inter-departmental organ of directive power that can muscle entrenched and often parochial bureaucracies, and in the cyber arena, we simply don’t have it. The media, which never tires of the cliché, told us we were getting a cyber “czar,” but the newly created cyber “Coordinator” actually has no directive power and has yet to prove his value in coordinating, let alone governing, the many departments and agencies with an interest in electronic networks.

And so cyber-enabled crime and political and economic espionage continue apace, and the risk of infrastructure failure mounts. As for me, I’m already drafting the next Presidential Directive. It sounds a lot like the last one.